SRX

 View Only
last person joined: 4 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Expand all | Collapse all

SRX300 totally configured but not internet connection

  • 1.  SRX300 totally configured but not internet connection

    Posted 07-15-2020 04:02

    Hello,

    I currently have a cluster of two SRX300 configured in HA but I cannot connect to the internet

     

    I see HITS in the firewall rule and NAT rule but I don't have internet access.

     

    I PING and resolve names correctly connected through the console port on either of the two nodes, so I understand that the routes are correctly configured.

     

    A curious case is that in the TRUST (LAN) zone I cannot PING, but the trace routes connect perfectly even though all the services and protocols are allowed.

     

    I attach my settings omitting some sensitive data.

     

    ## Last changed: 2020-07-15 11:13:31 CEST
    version 15.1X49-D150.2;
    groups {
        node0 {
            system {
                host-name FW-OMN-01;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.111.0.201/24;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name FW-OMN-02;
            }
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 10.111.0.202/24;
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";
    system {
        domain-name OMNIACC.CORP;
        time-zone Europe/Madrid;
        root-authentication {
            encrypted-password "xxxxxxxxxxxxxxxxxx";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
            212.121.128.10;
            212.121.128.11;
        }
        services {
            ssh;
            telnet;
            netconf {
                ssh;
            }
            web-management {
                http {
                    interface fxp0.0;
                }
                https {
                    system-generated-certificate;
                    interface fxp0.0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file LOGS {
                any any;
                archive files 1;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 130.206.3.166;
            server 130.206.0.1;
        }
        inactive: phone-home {
            server https://redirect.juniper.net;
            rfc-complaint;
        }
    }
    chassis {
        cluster {
            reth-count 4;
            redundancy-group 1 {
                node 0 priority 200;
                node 1 priority 100;
                preempt;
            }
            redundancy-group 2 {
                node 0 priority 200;
                node 1 priority 100;
                preempt;
            }
        }
    }
    services {
        application-identification;
    }
    security {
        log {
            mode event;
        }
        address-book {
            RED_OMNIA {
                address RED_OMNIA 10.111.0.0/16;
                attach {
                    zone LAN;
                }
            }
        }
        alg {
            dns disable;
            ftp disable;
            h323 disable;
            msrpc disable;
            sunrpc disable;
            rtsp disable;
            sccp disable;
            sip disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        flow {
            allow-dns-reply;
        }
        nat {
            source {
                rule-set INTERNET_COLT {
                    from zone LAN;
                    to zone WAN;
                    rule INTERNET_COLT {
                        match {
                            source-address 10.111.0.0/16;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone LAN to-zone WAN {
                policy DEFAULT {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        count;
                    }
                }
            }
            default-policy {
                permit-all;
            }
        }
        zones {
            security-zone LAN {
                description INTERNO;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone WAN {
                description EXTERNO;
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                        dns;
                        http;
                        https;
                        ftp;
                    }
                }
                interfaces {
                    reth1.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/4 {
            ether-options {
                redundant-parent reth0;
            }
        }
        ge-0/0/5 {
            ether-options {
                redundant-parent reth1;
            }
        }
        ge-1/0/4 {
            ether-options {
                redundant-parent reth0;
            }
        }
        ge-1/0/5 {
            ether-options {
                redundant-parent reth1;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-0/0/2;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-1/0/2;
                }
            }
        }
        reth0 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 10.111.0.200/24;
                }
            }
        }
        reth1 {
            redundant-ether-options {
                redundancy-group 2;
            }
            unit 0 {
                family inet {
                    address 213.x.x.x/29;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 213.x.x.x;
            route 11.111.0.0/16 next-hop 10.111.0.1;
            route 10.111.0.0/16 next-hop 10.111.0.1;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }

    Best regards

    PS: sorry for my English


    #SRX300problemsnointernetconnection


  • 2.  RE: SRX300 totally configured but not internet connection

    Posted 07-15-2020 04:11

    Hi Danjr,

     

    Could you please let me know whether you were unable to access the Internet from the SRX? or You were unable to access the Internet when the traffic is passing through the SRX?

     

    Also, please check the sessions to determine whether traffic is being sent and received.

     

    user@host> show security flow session source-prefix  <x.x.x.x> destination-prefix <y.y.y.y>

    user@host> show interfaces terse | match inet

    user@host> show arp no-resolve

    user@host> show chassis cluster status

    user@host> show route 8.8.8.8



  • 3.  RE: SRX300 totally configured but not internet connection

    Posted 07-15-2020 04:50

    Hi noobmaster

     

    unable to access the Internet when the traffic is passing through the SRX

     

    I answer the questions

     

    user@host> show security flow session source-prefix  <10.111.0.200(LAN reth0.0)> destination-prefix <195.78.228.226>

    {primary:node0}
    root@FW-OMN-01> ...prefix 10.111.0.200 destination-prefix 195.78.228.226
    node0:
    --------------------------------------------------------------------------
    Total sessions: 0
    
    node1:
    --------------------------------------------------------------------------
    Total sessions: 0
    
    {primary:node0}
    

    user@host> show interfaces terse | match inet

     

    root@FW-OMN-01> show interfaces terse | match inet
    fab0.0                  up    up   inet     30.17.0.200/24
    fab1.0                  up    up   inet     30.18.0.200/24
    fxp0.0                  up    up   inet     10.111.0.201/24
    fxp1.0                  up    up   inet     129.16.0.1/2
    jsrv.1                  up    up   inet     128.0.0.127/2
    lo0.16384               up    up   inet     127.0.0.1           --> 0/0
    lo0.16385               up    up   inet     10.0.0.1            --> 0/0
    reth0.0                 up    up   inet     10.111.0.200/24
    reth1.0                 up    up   inet     213.x.x.x/29 (IP OF WAN)
    
    {primary:node0}
    

    user@host> show arp no-resolve

     

    root@FW-OMN-01> show arp no-resolve
    MAC Address       Address         Interface         Flags
    f4:bd:9e:8c:0a:d1 10.111.0.1      reth0.0                  none
    f4:bd:9e:8c:0a:d1 10.111.0.1      fxp0.0                   none
    d0:7e:28:a9:04:36 10.111.0.11     reth0.0                  none
    d0:7e:28:a8:e9:36 10.111.0.12     reth0.0                  none
    78:4f:9b:2e:9f:2e 30.17.0.2       fab0.0                   permanent
    78:4f:9b:2c:65:ae 30.18.0.1       fab1.0                   permanent
    78:4f:9b:2e:9e:7f 130.16.0.1      fxp1.0                   none
    00:3a:7d:5f:fc:40 213.X.X.X  reth1.0                  none (IP OF DEFAULT ROUTE/GATEWAY)
    Total entries: 8
    
    

    user@host> show chassis cluster status

     

    root@FW-OMN-01> show chassis cluster status
    Monitor Failure codes:
        CS  Cold Sync monitoring        FL  Fabric Connection monitoring
        GR  GRES monitoring             HW  Hardware monitoring
        IF  Interface monitoring        IP  IP monitoring
        LB  Loopback monitoring         MB  Mbuf monitoring
        NH  Nexthop monitoring          NP  NPC monitoring
        SP  SPU monitoring              SM  Schedule monitoring
        CF  Config Sync monitoring      RE  Relinquish monitoring
    
    Cluster ID: 1
    Node   Priority Status         Preempt Manual   Monitor-failures
    
    Redundancy group: 0 , Failover count: 1
    node0  1        primary        no      no       None
    node1  1        secondary      no      no       None
    
    Redundancy group: 1 , Failover count: 1
    node0  200      primary        yes     no       None
    node1  100      secondary      yes     no       None
    
    Redundancy group: 2 , Failover count: 1
    node0  200      primary        yes     no       None
    node1  100      secondary      yes     no       None
    

     

    user@host> show route 8.8.8.8

     

    root@FW-OMN-01> show route 8.8.8.8
    
    inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 23:56:40
                        > to 213.X.X.X via reth1.0 (GATEWAY/DEFAULT ROUTE)
    

    Best Regards



  • 4.  RE: SRX300 totally configured but not internet connection

    Posted 07-15-2020 05:07

    Hi Danjr,

     

    The configuration looks fine.

     

    Could you please let me know whether you ran the command while the traffic is passing through the SRX?- show security flow session source-prefix  10.111.0.200 destination-prefix 195.78.228.226

     

    Because 10.111.0.200 is your reth0.0 interface IP address, so you need to replace it in the security flow session with the device IP address from where you are initiating the traffic and send me the output once again.



  • 5.  RE: SRX300 totally configured but not internet connection

    Posted 07-16-2020 02:09

    Hi noobmaster

     

    Yes, sorry my fault

     

    Here is the result of the command doing it from my computer

     

    show security flow session source-prefix  10.111.24.22 destination-prefix 195.78.228.226

     

    root@FW-OMN-01> ....111.24.22 destination-prefix 195.78.228.226
    node0:
    --------------------------------------------------------------------------
    
    Session ID: 37087, Policy name: DEFAULT/4, State: Active, Timeout: 2, Valid
      In: 10.111.24.22/52707 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 2, Bytes: 104,
      Out: 195.78.228.226/443 --> 213.27.140.187/62723;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,
    
    Session ID: 37088, Policy name: DEFAULT/4, State: Active, Timeout: 2, Valid
      In: 10.111.24.22/52708 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 2, Bytes: 104,
      Out: 195.78.228.226/443 --> 213.27.140.187/44276;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,
    
    Session ID: 37089, Policy name: DEFAULT/4, State: Active, Timeout: 2, Valid
      In: 10.111.24.22/52712 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 1, Bytes: 52,
      Out: 195.78.228.226/443 --> 213.27.140.187/34364;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,
    Total sessions: 3
    
    node1:
    --------------------------------------------------------------------------
    
    Session ID: 11945, Policy name: DEFAULT/4, State: Backup, Timeout: 14406, Valid
      In: 10.111.24.22/52707 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0,
      Out: 195.78.228.226/443 --> 213.27.140.187/62723;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,
    
    Session ID: 11946, Policy name: DEFAULT/4, State: Backup, Timeout: 14404, Valid
      In: 10.111.24.22/52708 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0,
      Out: 195.78.228.226/443 --> 213.27.140.187/44276;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,
    
    Session ID: 11947, Policy name: DEFAULT/4, State: Backup, Timeout: 14396, Valid
      In: 10.111.24.22/52712 --> 195.78.228.226/443;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0,
      Out: 195.78.228.226/443 --> 213.27.140.187/34364;tcp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0,
    Total sessions: 3
    
    {primary:node0}
    

     

    Thx



  • 6.  RE: SRX300 totally configured but not internet connection

    Posted 07-16-2020 03:20

    Hi Danjr,

     

    It seems like the SRX has processed and sent the traffic out but there is no return traffic.

     

    Please perform the below steps:

     

    1. Check whether the destination is reachable by some other means such as trying from different network, bypassing SRX etc. Because I suspect the destination is not responding back.
    2. Take packet captures on SRX and this way we can check whether the return traffic are returned back to SRX. Please check the following link for configuring packet captures on SRX Branch series devices - https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709
    3. In the packet capture, if the return traffic are seen then we need to configure flow traceoptions in SRX to determine where the packet is getting dropped in Junos flow.
    4. Check whether you have any firewall filter responsible for blocking the traffic in inbound direction.

                                         user@host# show firewall | display set

                                        user@host#  show interfaces reth1 | display set

     

    Flow traceoptions:

     

    set security flow ​traceoptions file JTAC-FTRACE files 5 size 50m

    set security flow traceoptions flag basic-datapath

    set security flow traceoptions flag packet-drops

    set security flow traceoptions packet-filter PF1 source-prefix 10.111.24.22/32

    set security flow traceoptions packet-filter PF1 destination-prefix 195.78.228.226/32

    set security flow traceoptions packet-filter PF1 destination-port 443

    set security flow traceoptions packet-filter PF2 source-prefix 195.78.228.226/32

    set security flow traceoptions packet-filter PF2 source-port 443

    set security flow traceoptions packet-filter PF2 destination-prefix 213.27.140.187/32

     

    If the traffic doesn't work and the destination server is actually reachable from other networks, please attach the flow traces, firewall filter outputs and packet captures.



  • 7.  RE: SRX300 totally configured but not internet connection
    Best Answer

    Posted 07-16-2020 03:20

    Hi Danjr,

     

    I think your issue is that you have the same subnet on fxp0 for each firewall cluster member + on your reth0.0 (10.111.0.0/24).

     

    In the Junos version you are using, they are utilizing the same routing-table. For a start, please try to configure an alternate prefix on fxp0.0 for both members (you don't have to be able to reach it, so 100.64.0.0/24 or whatever you choose is perfect).

    Of course you then needs to reach the cluster via reth0.0 or console connections during the test.

     

    If this works, then you can solves this permanently by upgrading your SRX300's to minimum Junos 18.3R1 where "management routing-instances" has been introduced for srx. That feature gives you a seperate routing-table for fxp0.0 so IP-net can overlap with reth0.0.

     

    Basically you can do something like this after upgrading:

    set system management-instance
    set routing-instances mgmt_junos routing-options static route 0/0 next-hop 10.11.0.200
    

     

    More information management routing instances: https://www.juniper.net/documentation//en_US/junos/topics/topic-map/management-interface-in-non-default-instance.html

     

    Please let us know if this helps 🙂



  • 8.  RE: SRX300 totally configured but not internet connection

    Posted 07-16-2020 06:30

    Hello,

    You have the same subnet 10.111.0.0/24 assigned to fxp0 and reth0/LAN zone.

    And Your pb symptoms are consistent with this common mistake.

    If You want to keep fxp0 and reth0 both Up/Up at the same time, please do one of below:

    1/ use different subnets for fxp0 and reth0

    2/ put reth0 and reth1 into different routing-instance

    HTH

    Thx

    Alex



  • 9.  RE: SRX300 totally configured but not internet connection

    Posted 07-16-2020 07:51

    Hi Aarseniev,

     

    Guess you are right. I can also see the same ARP being learnt for both the interfaces.

     

    f4:bd:9e:8c:0a:d1 10.111.0.1      reth0.0                  none
    f4:bd:9e:8c:0a:d1 10.111.0.1      fxp0.0                   none

     

    @danjr, can you make the suggested change? or Just deactivate the fxp0 interface for the purpose of testing? 



  • 10.  RE: SRX300 totally configured but not internet connection

    Posted 07-16-2020 10:41

    Hi all

     

    Finally i change the network attached in fxp0 in other subnet and i can ping the reth0.0 interface

     

    To test on my network, I have created a route from the network core that sends traffic to ip 195.78.228.226 through ip 10.111.0.200 and I have connectivity

     

    This route is created so as not to disturb other colleagues and to be able to do tests

     

    When I change the route in my network core to redirect all traffic to 10.111.0.200 I have no connection to anything. I think it could be DNS problems

     

    Another curious case is that I do not have a ping from the 10.111.2.0/23 subnet, even though I have created the 10.111.0.0/16 network in the addressbook, and the static route to be able to access the 10.111.0.0/16 network from the FW.


    @noobmaster wrote:

    Hi Aarseniev,

     

    Guess you are right. I can also see the same ARP being learnt for both the interfaces.

     

    f4:bd:9e:8c:0a:d1 10.111.0.1      reth0.0                  none
    f4:bd:9e:8c:0a:d1 10.111.0.1      fxp0.0                   none

     

    @danjr, can you make the suggested change? or Just deactivate the fxp0 interface for the purpose of testing? 


    ARP is duplicated because both interfaces are connected to the same network core

     

    Thx friends 

     



  • 11.  RE: SRX300 totally configured but not internet connection

    Posted 07-16-2020 12:19

    Hi Danjr,

     

    "To test on my network, I have created a route from the network core that sends traffic to ip 195.78.228.226 through ip 10.111.0.200 and I have connectivity" - - - - Does that mean you got the access to the Internet?

     

    "Another curious case is that I do not have a ping from the 10.111.2.0/23 subnet, even though I have created the 10.111.0.0/16 network in the addressbook, and the static route to be able to access the 10.111.0.0/16 network from the FW." - - - - Can you please draw a topology with IP addressing in it, because it is quite difficult to understand. If you were unable to access the intended traffic, please provide the session output and route output while generating traffic.



  • 12.  RE: SRX300 totally configured but not internet connection

    Posted 07-16-2020 14:47

    Hi noobmaster

     

     Does that mean you got the access to the Internet?

     

    I can do a traceroute to public ip and reaches the destination, but it does not resolve public domains

     

    Now I am at home, the network map is made with paint

     

    map.png

    The switch core is layer 3 and is the gateway for all subnets. have the following vlans defined

     

    • vlan 100 administration where the RETH0.0 link is connected 

             NETWORK 10.111.0.0/24 Vlan interface 10.111.0.1

     

    • vlan 101, WAN where the RETH1.0 link is connected 

     

    • Vlan 102 SERVERS where the FXP0 ports of each nodes are connected
      Network 10.111.2.0/23 Vlan interface 10.111.2.1

             In this Vlan my company's servers are connected (DC, DHCP, DNS ...)

     

    • Vlan 124 DATA in this vlan is where we are connected the workers of the company
      Network 10.111.24.0/21 Vlan interface 10.111.24.1

    I hope this helps

     

    thank you very much to all



  • 13.  RE: SRX300 totally configured but not internet connection

    Posted 07-16-2020 21:41

    Hey Danjr,

     

    Thanks for the topology.

     

    If I'm not wrong, you have 2 issues at the moment: DNS issue and PING issue.

     

    • When I change the route in my network core to redirect all traffic to 10.111.0.200 I have no connection to anything. I think it could be DNS problems.
    • Another curious case is that I do not have a ping from the 10.111.2.0/23 subnet, even though I have created the 10.111.0.0/16 network in the address book, and the static route to be able to access the 10.111.0.0/16 network from the FW.

    Let's sort the ping issue first and for that, I need you to provide me the below answers.

     

    1. From where you are initiating the ping, give me the source and destination IP address.
    2. user@route> show route <destination-ip>
    3. user@host> show security flow session source-prefix <source-ip> destination-prefix <destination-ip>   <<<< Capture this output when initiating the ping.
    4. user@host> show interfaces terse | match inet


  • 14.  RE: SRX300 totally configured but not internet connection

    Posted 07-17-2020 04:37

    Hello,

     

    Your SRX is doing source NAT - if You configured Your  network to "return traffic to 10.111.0.200", then this is wrong choice. You need to provide a return route to 213.27.140.187.

    And if You only allowed Your SRX to talk to 195.78.228.226, then this is insufficient, You also need to allow at least 1 public DNS such as 8.8.8.8 or 8.8.4.4.

    HTH

    Thx

    Alex

     

     



  • 15.  RE: SRX300 totally configured but not internet connection

    Posted 07-17-2020 05:02

    Hi all,

     

    Everything works correctly now. I am writing these lines through the internet connection of the firewall

     

    I have created a specific vlan only for the FXP0 ports, because when connecting them to VLAN 102 with network 10.111.2.0, it conflicted with my company's DNS server that are in the same VLAN. After this change, everything works correctly.

     

    I will have to update Junos os to a more current version, although currently I cannot download it because I do not have a maintenance account. I will ask my partner

     

    Thank you very much to all